It had to reconcile the GDPR with more restrictive national employment laws.
The CJEU has ruled in the case of In X-FAB Dresden GmbH & Co KG v FC (Case C-453/21).
It was asked by the German courts to decide if a data protection officer is subject to a conflict of interests and if the GDPR precludes national legislation which sets out more protective specific provisions on the dismissal of a data protection officer.
In this case, FC was employed by X-FAB from 1 November 1993. He performed the duties of chair of the works council in that company. He was also vice-chair of the central works council which was established for three undertakings in the German group of companies to which X-FAB belongs. From 1 June 2015, FC was appointed, by each undertaking separately, as the DPO of X-FAB, its parent company and the other subsidiaries of the parent company established in Germany. According to the referring court, the aim of that appointment in parallel of FC as the DPO of all those undertakings was to ensure a uniform level of data protection in those undertakings.
At the request of the state officer for data protection and freedom of information of Thüringen, X-FAB dismissed FC as data protection officer. FC brought court proceedings seeking a declaration that the retains the position of DPO of X-FAB. X-FAB argued that there is a risk of a conflict of interests if FC simultaneously performs the functions of DPO and chair of the works council, on the ground that those two posts are incompatible. There is, therefore, a just cause justifying FC's dismissal as DPO.
German laws gave data protection officers more protection than the GDPR which provides that data protection officers may not be dismissed or penalised for performing his tasks.
The courts of first instance and of appeal upheld FC's action. X-FAB appealed to the Bundesarbeitsgericht (Federal Labour Court, Germany). It had to reconcile the two laws and referred the case to the CJEU.
The court ruled that:
This decision is not binding in the UK. However, the UK GDPR reflects the provisions concerning the dismissal of a data protection officer and conflict of interests.
Published: 2023-02-24T14:00:00